A theme of this work is vulnerabilities in the "internal browser" some of the mobile password managers provide. Mobile password managers have internal browsers because it's not easy to extend the standard mobile browsers, and password managers want to automate the entry of passwords into form fields.<p>Don't use the internal browser of your password manager, no matter which one you use. There's too much that can go wrong, and the small convenience just isn't worth it.
So, all three of the LastPass issues have been fixed, and within two weeks of being reported, to boot:<p><pre><code> * 2016-08-22 Vulnerability Discovered
* 2016-08-24 Vulnerability Reported
* 2016-09-06 Vulnerability Fixed</code></pre>
One of the 1Password ones (<a href="https://team-sik.org/sik-2016-040/" rel="nofollow">https://team-sik.org/sik-2016-040/</a>) about leaking URLs is marked as fixed, however, that's a little misleading. It's fixed if you use their newer vault format, which has limitations, and is <i>not</i> selected by default when you create a new vault. I wrote this about it a while back: <a href="https://myers.io/2015/10/22/1password-leaks-your-data/" rel="nofollow">https://myers.io/2015/10/22/1password-leaks-your-data/</a>
This is why I still go to the trouble of PGP encrypting a file with my passwords, rather than relying on a password manager. I keep wanting to switch, but damn it, I just can't bring myself to have that much trust in them.<p>Edit: Thanks for the informative replies, the links, and the advice. I'm going to explore all of my options and re-think this.
Some older papers on security vulnerabilities of password managers:<p><a href="https://www.schneier.com/blog/archives/2014/09/security_of_pas.html" rel="nofollow">https://www.schneier.com/blog/archives/2014/09/security_of_p...</a><p>Any thoughts on Bruce Schneier's PasswordSafe password manager?
Tangentially related:<p><a href="https://github.com/SirCmpwn/pass-rotate" rel="nofollow">https://github.com/SirCmpwn/pass-rotate</a><p>I posted it on here the other day but it didn't go far. It's like youtube-dl, but instead of downloading videos it changes your password on various online services. If you get your password compromised by vulnerabilities or whatnot, it makes it easy to mass-rotate your passwords. Could use some help adding support for more websites if you're interested.<p></shameless promo>
I looked at the LastPass ones (all for Android) and they look relatively minor. The only real wtf is <a href="https://team-sik.org/sik-2016-022/" rel="nofollow">https://team-sik.org/sik-2016-022/</a> - hardcoding keys should be a big nope. Still, it happens only if you use a PIN rather than your master password; I hope this does not happen in iOS if you use TouchID...?
Site's down. Text-only cached version at least lets you read some of the content: <a href="http://webcache.googleusercontent.com/search?q=cache:kJ5Zk-7KPswJ:https://team-sik.org/trent_portfolio/password-manager-apps/&num=1&hl=en&gl=us&prmd=ivn&strip=1&vwsrc=0" rel="nofollow">http://webcache.googleusercontent.com/search?q=cache:kJ5Zk-7...</a>
We need the same kind of investigation for iOS. This kind of research was much needed, because after all this is where we store our entire internet identities. Good job!
Just my brief experience of 2-3 hours with LastPass today. Broken javascript errors when trying to import. Searched for customer support, couldn't find any! How do I file bugs? Sign up and post to their web forum?<p>I noticed their website is made entirely in php. Not that php is bad, but this is possibly the worst choice for a web platform that holds secrets. At only $12 a year, they probably aren't trying very hard.
Shocked I didn't see Bitwarden in here?<p>I use Bitwarden for some things (lots of testing, nothing serious). Given its OSS nature, I thought it might have had more traction.<p>For reference: <a href="https://github.com/bitwarden" rel="nofollow">https://github.com/bitwarden</a>